On Sun, 11 Jul 2010, Arnd Bergmann wrote:

> > > @@ -265,22 +265,19 @@ static int hiddev_release(struct inode * inode, struct file * file) > > > static int hiddev_open(struct inode *inode, struct file *file) > > > { > > > struct hiddev_list *list; > > > - int res, i; > > > - > > > - /* See comment in hiddev_connect() for BKL explanation */ > > > - lock_kernel(); > > > - i = iminor(inode) - HIDDEV_MINOR_BASE; > > > + struct usb_interface *intf; > > > + struct hiddev *hiddev; > > > + int res; > > > > > > - if (i >= HIDDEV_MINORS || i < 0 || !hiddev_table[i]) > > > + intf = usb_find_interface(&hiddev_driver, iminor(inode));
> >
> > What keeps the intf pointer valid after usb_find_interface() returns?
> > This seems racy.
> >
> As far as I can tell, it can only go away if hiddev_disconnect
> calls usb_deregister_dev, but that will block on minor_rwsem
> and not actually remove the device until usb_open()
> finishes.

This seems like a valid explanation to me, yes.

Thanks a lot for fixing this properly Arnd, I have applied your patch.

--
Jiri Kosina
SUSE Labs, Novell Inc.
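
Review bot: In hiddev_open(), the removed lines take with them the only locking comment ("See comment in hiddev_connect() for BKL explanation"), and nothing in the visible hunk documents why the pointer returned by usb_find_interface() stays valid once lock_kernel() is gone. The reasoning given in this thread (hiddev_disconnect calling usb_deregister_dev blocks on minor_rwsem until usb_open() finishes) is not obvious from the code and deserves a short comment above the usb_find_interface() call. The quoted hunk also ends at that call, so it does not show what replaces the old "!hiddev_table[i]" test; the lines that follow should check intf for NULL and return an error before it is dereferenced.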